From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <008701c16c9c$57155b80$2248dec2@falken>
From: "Chris Hollis-Locke"
To: <9fans@cse.psu.edu>
References: <20011113230455.25131199B9@mail.cse.psu.edu>
Subject: Re: [9fans] dhog the corruptor!
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Date: Tue, 13 Nov 2001 23:38:46 +0000
Topicbox-Message-UUID: 21d4bb76-eaca-11e9-9e20-41e7f4b1d025

> Brucee's implementation just patches the call to point to the
> correct destination. You don't have to walk any machine code.

MS VxDs work in a similar way - they call it something like 'snap' linkage. The 'unlinked' call is to a lookup function that patches the caller (determined by the return addr on the stack) to the actual entry point.

The downside is that you cannot easily unload or replace a driver that is linked in such a way, which explains why there are so many "You must now reboot your computer" messages.

The new WDM may do things differently; I haven't looked at that yet.
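The snap-linkage mechanism described in the message above, and the replace-the-driver problem it causes, as an added worked example in C. This is not code from the thread or from any Microsoft or Plan 9 source; it models the call site as a tagged record rather than patching real machine code at the return address, and the names (service_v1, service_v2, call_site, snap, replace_driver, the export "Service") are all made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

typedef int (*service_fn)(int);

/* Two builds of one hypothetical driver service (constructed for the
   example), so we can watch what happens when the driver is replaced
   after some callers have already been snapped. */
int service_v1(int x) { return x + 1; }
int service_v2(int x) { return x * 2; }

/* The loader's table of exported services, keyed by name. */
struct export_entry { const char *name; service_fn entry; };
static struct export_entry exports[] = { { "Service", service_v1 } };

/* A call site inside an importing module. In the real scheme the
   unlinked form is an instruction sequence that names the service and
   the linked form is a direct call; here a tagged record stands in for
   those bytes so the patching can be shown portably. */
enum { UNLINKED, LINKED };
struct call_site {
    int state;
    const char *service;   /* meaningful while UNLINKED */
    service_fn target;     /* meaningful once LINKED */
};

service_fn lookup(const char *name) {
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0)
            return exports[i].entry;
    return NULL;
}

/* The lookup function reached by an unlinked call. It resolves the
   service and patches the call site so later calls go straight to the
   entry point. The VxD version finds the site through the return
   address on the stack; here the site is passed in explicitly. */
int snap(struct call_site *site, int arg) {
    service_fn fn = lookup(site->service);
    if (fn == NULL)
        return -1;             /* unresolved import: leave the site unlinked */
    site->target = fn;
    site->state = LINKED;
    return fn(arg);
}

/* What the importing module executes at the call site. */
int call_site_invoke(struct call_site *site, int arg) {
    if (site->state == LINKED)
        return site->target(arg);
    return snap(site, arg);
}

/* "Reload" the driver: the export table now points at the new build,
   but call sites that were already patched still carry the old entry
   point and keep calling it. Returns 0 on success, -1 if unknown. */
int replace_driver(const char *name, service_fn new_entry) {
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++) {
        if (strcmp(exports[i].name, name) == 0) {
            exports[i].entry = new_entry;
            return 0;
        }
    }
    return -1;
}

int main(void) {
    struct call_site early = { UNLINKED, "Service", NULL };
    struct call_site late  = { UNLINKED, "Service", NULL };

    printf("first call, snaps to v1:          %d\n", call_site_invoke(&early, 5));
    replace_driver("Service", service_v2);
    printf("snapped caller after replacement: %d\n", call_site_invoke(&early, 5));
    printf("fresh caller after replacement:   %d\n", call_site_invoke(&late, 5));
    return 0;
}
```

The "early" caller keeps returning the v1 result after the driver has been replaced because the patch was written into the caller, not into a table the loader controls; the only way to get every caller onto v2 is to re-create all of them, which for a kernel full of snapped drivers means a reboot.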